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Introduction 


We presented our Information Systems audit on the Consolidated Environmental Data Access and 
Retrieval System (CEDARS) to the Legislative Audit Committee in September 2009. The report contains 
two recommendations relating to: 


e Implementing policy for migration. 
e Defining specific steps for recovering from system interruptions. 


We requested and received information from the Department of Environmental Quality regarding 
progress toward implementation of the report recommendations. This memorandum summarizes 
department responses and our follow-up work. 


Background 


A critical part of Department of Environmental Quality (DEQ) program administration is maintenance of 
environmental data. System operations include management of water quality, air quality, hazardous 
waste, as well as a multitude of other environmental permitting programs. To assist in this task, the 
agency developed multiple databases and systems accommodating data within the various programs. At 
peak, 175 individual databases were in use throughout the department. 


In calendar year 2000, DEQ began an effort to integrate the various program systems and databases into a 
single Oracle database with a shared web application used to access data. CEDARS was first placed into 
production in 2002 as an integrated database storing information for sites of environmental interest to 
DEQ. At the time of development, DEQ management had planned to integrate all individual databases 
into CEDARS depending on funding and departmental needs. To date, DEQ has migrated five 
applications into CEDARS including air quality, enforcement/legal, facility identification, industrial and 
energy minerals, and waste and underground tank management. 
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Follow-up Discussion 


The following sections summarize the report recommendations and the progress towards implementing 
the recommendations. 


Implementation of Best Practices 


The Montana Information Technology Act (MITA) outlines state law for system development. The 
State’s Chief Information Officer has established new policy on project management. The Project 
Management Interim Policy, approved March 3, 2009, establishes the requirements for the utilization of 
project management methodologies as defined by the State of Montana Project Management Office. In 
addition to MITA and state policy, best practices suggest standard system development organization for a 
project like CEDARS should include a feasibility and requirements study, requirements definition, 
detailed design, programming, testing, installation and post-implementation review. 


During our audit, we were unable to identify documentation verifying DEQ followed best practices when 
developing CEDARS. The lack of documentation prevented us from confirming compliance with MITA, 
in addition to determining if DEQ used organized, deliberate, and cost effective methods when 
developing CEDARS. Furthermore, DEQ did not document the amount of work performed, resources 
required, and time involved to complete the migration of the five sub-systems in CEDARS. As a result, 
DEQ could not provide the overall cost and time spent on CEDARS, or the additional cost required to 
fully complete CEDARS migration. Also, DEQ had not documented its processes to ensure future 
migration of systems into the CEDARS environment is consistent. 


Recommendation #1 


We recommend the Department of Environmental Quality comply with system development law and 
policy by implementing policy for migration and documenting all steps of the process. 


Implementation Status: Being Implemented 


DEQ management indicated they have a draft system development policy they are working on. As a part 
of this effort, they are working on a formal system development methodology that is also currently in 
draft form. 


Disaster Recovery/Business Continuity Plan 


State law regarding security responsibilities of departments for data direct each department head to 
implement appropriate cost-effective safeguards to reduce, eliminate, or recover from identified threats to 
data. In addition, to mitigate the damage resulting from major and minor disasters, best practices suggest 
organizations test, implement, and maintain a disaster recovery/business continuity plan. The organization 
should develop policies, plans, and procedures to regain access to data, workspace, lines of 
communication, and critical business processes. 


According to DEQ management, high turnover affected limited staffing resources which focused on 
continued development of CEDARS business processes. This development included time sensitive 
responsibilities such as troubleshooting errors, developing new functionality, and supporting current 
business processes. While the department had established a service level agreement with the Department 
of Administration, as well as its own continuity of operations plan, these documents did not contain 
specific step by step details regarding the recovery process for CEDARS. 
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Recommendation #2 


We recommend the Department of Environmental Quality develop a Disaster Recovery/Business 
Continuity Plan specifically defining steps for recovering from service interruptions to the Consolidated 
Environmental Data Access and Retrieval System. 


Implementation Status: Not Implemented 


The Department of Environmental Quality did not concur with this recommendation. In its response to the 
audit, the department indicated it believed the service level agreement with the Department of 
Administration clearly provided full recovery of CEDARS information and functionality in the event of a 
disaster. 


Subsequent to this audit, our office conducted a statewide audit regarding disaster recovery planning 
(10DP-01), which included CEDARS within the analysis. The statewide audit noted that state agency 
implementation of disaster recovery planning was inconsistent and varied in level of completeness, and 
agencies needed guidance for planning. The statewide audit includes a recommendation to the 
Department of Administration to develop policy, including criteria, for disaster recovery planning. 
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